The covered consequences of a data breach can include paying fines and compensation for loss of income as well as the fees to hire information technology experts, a public relations firm, attorneys, and even a call center to handle patient inquiries.

Practices that don’t have specific cyber insurance often have some limited coverage through their malpractice or general business policies. Brandon Clarke, co-founder of Affenix, a brokerage specializing in cyber insurance, says that a primary care practice with five physicians should have an umbrella cyber policy of at least $1 million, which could cost an estimated $1,200 to $5,000 a year.

“Even though you’re a small practice, the motivation to attack is still there. People who say they haven’t been targeted simply haven’t been targeted yet,” Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society, said in the article.